02-12-2015 02:13 AM - edited 02-12-2015 02:26 AM
Acl not working correctly on hp 5820 switch
Hello,
I am trying to configure an ACL between two VLANs. I want to allow a specific IP address, 192.168.20.28 255.255.254.0 on interface VLAN 20, to be able to reach any IP on the interface VLAN 7 subnet 192.168.2.0 255.255.255.0.
So I configured basic ACL 2001:
rule 0 permit source 192.168.20.28 0
rule 100 deny source any
Now, on the interface VLAN 7 or on the port which connects VLAN 7, I used:
packet-filter 2001 inbound
but it's blocking everything, even IP 192.168.20.28.
What is wrong with the ACL?
- Tags:
- ACLs
02-12-2015 05:13 AM
Re: Acl not working correctly on hp 5820 switch
I managed to solve the problem by creating an advanced ACL and applying it to the outbound interface, not inbound, and it's working successfully.
02-14-2015 03:56 AM - edited 02-14-2015 03:58 AM
Re: Acl not working correctly on hp 5820 switch
This might be valid for your case where you attempt to apply an ACL on a VLAN rather than a physical interface:
"
A5800_5820X-CMW520-R1809P02
New feature: Applicable scope of packet filtering on a VLAN interface
Configuring the applicable scope of packet filtering on a VLAN interface
You can configure the packet filtering on a VLAN interface to filter the following packets:
• Packets forwarded at Layer 3 by the VLAN interface.
• All packets, including packets forwarded at Layer 3 by the VLAN interface and packets forwarded at Layer 2 by the physical ports associated with the VLAN interface.
To configure the applicable scope of packet filtering on a VLAN interface:
Step 1. Enter system view.
Command: # system-view
Remarks: N/A

Step 2. Create a VLAN interface and enter its view.
Command: # interface vlan-interface vlan-interface-id
Remarks: If the VLAN interface already exists, you directly enter its view. By default, no VLAN interface exists.

Step 3. Specify the applicable scope of packet filtering on the VLAN interface.
Command: # packet-filter filter [ route | all ]
Remarks: By default, the packet filtering filters all packets.
Command reference
# packet-filter filter
Use packet-filter filter to specify the applicable scope of packet filtering on a VLAN interface.
Use undo packet-filter filter to restore the default.
Syntax
# packet-filter filter [ route | all ]
# undo packet-filter filter
Default
The packet filtering filters all packets.
Views
VLAN interface view
Default command level
2: System level
Parameters
route: Filters packets forwarded at Layer 3 by the VLAN interface.
all: Filters all packets, including packets forwarded at Layer 3 by the VLAN interface and packets forwarded at Layer 2 by the physical ports associated with the VLAN interface.
Examples
# Configure the packet filtering on VLAN-interface 2 to filter packets forwarded at Layer 3.
<Sysname> system-view
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] packet-filter filter route
"
The above simply means that if you just want to protect the VLAN-interface itself you should use the "route" option, while if you want to filter whatever flows within your VLAN (like traffic between clients that doesn't pass the VLAN-interface) then you should use the "all" option.
Another option is also to simply filter on the physical interfaces themselves.
Basically (unless I forgot some) you have 4 options if you want to apply a filter:
1) In the physical interface.
2) In the VLAN.
3) In the VLAN-interface.
4) In the routing table (usually in combination with uRPF, null routed hosts/ranges will then get dropped in both directions).
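
The behaviour discussed in this thread, as an added example that is not code from any of the posters or from HPE: a small Python model of basic ACL 2001 applied to Vlan-interface 7, showing which packets each direction and each `packet-filter filter` scope actually inspects. The VLAN 7 host addresses (192.168.2.10, 192.168.2.11), the other VLAN 20 host (192.168.20.29), the "unmatched packets are permitted" default and the treatment of Layer 2 traffic as visible in either direction are assumptions of the model.

```python
import ipaddress

VLAN7 = ipaddress.ip_network("192.168.2.0/24")   # subnet behind Vlan-interface 7
ACL_2001 = ["rule 0 permit source 192.168.20.28 0",
            "rule 100 deny source any"]           # basic ACL as posted

def parse_rule(line):
    """Return (rule_id, action, address, wildcard) for a basic-ACL rule line."""
    tok = line.split()
    if tok[4] == "any":
        return int(tok[1]), tok[2], 0, 0xFFFFFFFF
    wildcard = tok[5] if "." in tok[5] else "0.0.0.0"   # "0" means exact host
    return (int(tok[1]), tok[2], int(ipaddress.IPv4Address(tok[4])),
            int(ipaddress.IPv4Address(wildcard)))

def acl_action(rules, src):
    """First match in ascending rule-ID order; a basic ACL sees only the source."""
    s = int(ipaddress.IPv4Address(src))
    for _, action, addr, wildcard in sorted(parse_rule(r) for r in rules):
        care = ~wildcard & 0xFFFFFFFF
        if (s & care) == (addr & care):
            return action
    return "permit"   # assumption: unmatched packets pass (default not set to deny)

def inspected(src, dst, direction, scope):
    """Does a packet-filter on Vlan-interface 7 in this direction see the packet?"""
    src_in = ipaddress.ip_address(src) in VLAN7
    dst_in = ipaddress.ip_address(dst) in VLAN7
    if src_in and dst_in:          # switched at Layer 2 inside VLAN 7
        return scope == "all"      # assumption: seen whichever direction is used
    if src_in:                     # routed out of VLAN 7, enters the interface
        return direction == "inbound"
    return dst_in and direction == "outbound"   # routed into VLAN 7

def verdict(src, dst, direction, scope="all", rules=ACL_2001):
    """Action the switch takes on one packet under the modelled packet-filter."""
    if not inspected(src, dst, direction, scope):
        return "permit"
    return acl_action(rules, src)

if __name__ == "__main__":
    flows = [("192.168.20.28", "192.168.2.10"),   # request from the allowed host
             ("192.168.2.10", "192.168.20.28"),   # reply from a VLAN 7 host
             ("192.168.20.29", "192.168.2.10")]   # some other VLAN 20 host
    for direction in ("inbound", "outbound"):
        for src, dst in flows:
            print(direction, src, "->", dst, verdict(src, dst, direction))
```

Applied inbound, the filter never sees the request from 192.168.20.28 but matches every reply from VLAN 7 against rule 100, which is why all traffic appeared blocked; applied outbound, the same source-based rules match the request itself.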